STMM: A Set Theory for Mechanized Mathematicsimps.mcmaster.ca/doc/stmm.pdf · STMM: A Set Theory for Mechanized Mathematics 3 2. Design Goals The following are six design goals for

STMM: A Set Theory for Mechanized Mathematics ∗

William M. Farmer ([email protected])Department of Computing and SoftwareMcMaster University1280 Main Street WestHamilton, Ontario, Canada L8S 4L7

5 October 2000

Abstract. Although set theory is the most popular foundation for mathematics, notmany mechanized mathematics systems are based on set theory. Zermelo-Fraenkel(zf) set theory and other traditional set theories are not an adequate foundation formechanized mathematics. stmm is a version of von-Neumann-Bernays-Godel (nbg)set theory that is intended to be a Set Theory for Mechanized Mathematics. stmmallows terms to denote proper classes and to be undefined, has a definite descriptionoperator, provides a sort system for classifying terms by value, and includes lambda-notation with term constructors for function application and function abstraction.This paper describes stmm and discusses why it is a good foundation for mechanizedmathematics.

Keywords: Set theory, nbg, higher-order logic, mechanized mathematics, theoremproving systems, partial functions, undefinedness, sorts.

1. Introduction

The mathematics process consists of formulating mathematical modelsand then exploring them by stating and proving conjectures and byperforming calculations. The goal of mechanized mathematics is toproduce computer systems that support and improve the mathematicsprocess. Today mechanized mathematics systems come in two majortypes. Computer algebra systems1 enable the user to perform manykinds of calculations, both symbolic and numeric. Theorem provingsystems2 assist the user in developing mathematical models in theform of axiomatic theories. The development is guided and checked byformally proving that certain conjectures are theorems of the theorybeing developed.

Set theory has been the most popular foundation for mathematicsfor the better part of the 20th century. Consequently, mathematiciansunderstand set theory quite well, and all serious mathematics practi-tioners are familiar with it to some degree. Although it is based on thetwo simple notions of set and membership, it is extremely expressive:

∗ Published in the Journal of Automated Reasoning, 26:269–289, 2001.

c© 2002 Kluwer Academic Publishers. Printed in the Netherlands.

stmm.tex; 12/11/2002; 9:00; p.1

2 Farmer

nearly all mathematical concepts can be expressed in terms of set andmembership. A large part of the success of set theory is due to therebeing a standard formalization known as Zermelo-Fraenkel (zf) settheory.

Set theory has not been a very popular foundation for mechanizedmathematics. Only a few mechanized mathematics systems are basedon set theory. These include the following:

1. The eves program verification system [10] based on zf.

2. M. Gordon’s augmentation of hol [23] with zf axioms [22].

3. N. Megill’s Metamath proof verifier [27] based on zf.

4. The Mizar proof development system [38] based on Tarski-Grothendieck set theory.3

5. L. Paulson’s implementation of zf [34] in the Isabelle generictheorem prover [35].

6. A. Quaife’s clausal formalization of von-Neumann-Bernays-Godel(nbg) set theory [36] in the Otter resolution theorem prover [26].

What is wrong with set theory as foundation for mechanized mathe-matics? Although classical set theories such as zf and nbg have greatexpressive power, they lack the practical machinery needed for mecha-nized mathematics. In particular, they do not provide built-in supportfor reasoning with functions and classifying terms by value (as typetheory does).

Is there a version of set theory that would be a suitable foundationfor mechanized mathematics? This paper addresses this question. Itgives a set of design goals that we would like a set theory for mechanizedmathematics to satisfy. We explain why zf and nbg do not satisfy allof these goals. We then propose a new Set Theory for MechanizedMathematics called stmm4 that does satisfy each of the design goals.After defining stmm, we discuss the support stmm offers for functions,issues concerning the implementation of stmm, and how stmm com-pares with other implemented set theories. The paper ends with a shortconclusion.

stmm.tex; 12/11/2002; 9:00; p.2

STMM: A Set Theory for Mechanized Mathematics 3

2. Design Goals

The following are six design goals for a set theory intended to serve asa logical foundation for mechanized mathematics:

Design Goal 1 (DG1). The set theory includes the standard machin-ery of predicate logic as well as the machinery of set theory.

In a set theory with the standard machinery of predicate logic, as-sertions about sets can be made that involve quantification and the ap-plication of predicates and operators. zf, nbg, and related set theoriessatisfy this first goal.

Design Goal 2 (DG2) Terms may denote both sets (small collections)and proper classes (big collections).

Many basic mathematical objects, such as the universe of sets andthe mapping that takes a set to its cardinality, are proper classes. Inzf, terms range over sets but not proper classes, while in nbg, termsrange over both sets and proper classes. (Proper classes are usuallyrepresented in zf by predicate symbols—which are not terms.) Thus,zf does not satisfy this goal, but nbg does.

Design Goal 3 (DG3) Terms may be undefined.

Undefined terms, like x/x where x = 0 and limx→∞ sinx, are acommon and unavoidable part of mathematics. They arise naturallyin mathematics practice from the use of partial functions and definitedescriptions. The direct use of undefined terms facilitates efficient, com-pact expression of many mathematical ideas. This is the reason thatundefined terms are commonly employed in informal mathematics.

In most set theories, including zf and nbg, terms are not allowed tobe undefined since the underlying logic is usually standard first-orderlogic. There are many approaches for dealing with partial functionsand undefinedness in formal logic. The major approaches are discussedin [11].

Design Goal 4 (DG4) There is a definite description operator forforming terms like the “the unique x that satisfies the property P”.

Definite description is a basic tool for defining mathematical con-cepts. It is employed in some fashion or another throughout mathe-matics. Set theories like zf and nbg do not normally contain a definitedescription operator. Definite descriptions are awkward in a system

stmm.tex; 12/11/2002; 9:00; p.3

4 Farmer

in which all terms must be defined because a nondenoting definitedescription like “the unique x such x 6= x” must denote some object.

Design Goal 5 (DG5) There is a built-in system for classifying termsby value (as there is in type theory).

A term classification system is very useful for providing some imme-diate information about the value of a term (e.g., that the term denotessome integer) before the value of term is known itself (e.g., that theterm denotes 17).

There is no built-in system for classifying terms by value in either zfor nbg. In particular, zf terms are an inadequate classification systembecause they denote sets, but not proper classes. Thus, for example,there is no term that can be a classification for the domain of allterms or a classification for the domain of terms that denote functions.Moreover, zf terms may denote the empty set. Allowing classificationsthat may be empty would severely complicate a classification systemfor terms. Such terms are hard to avoid since it is undecidable whetheran arbitrary zf term denotes the empty set.

Many mechanized mathematics systems are based on type theory.Type theory provides a system for classifying terms by value, but it alsoclashes with mathematics practice [25]. For example, in type theorythere are different operators for different types. When two types havesimilar structure, some of their operators may be similar to each other.For instance, an identity function on one type will behave the same asan identity function on another type. To deal with distinct operatorswith similar behavior, many type theories admit “polymorphic” opera-tors that may be applied to arguments of different types. Polymorphicoperators are seldom employed in mathematics practice since sets, andnot types, dominate mathematics. In a set theory like zf or nbg, thereis just one type (sets or classes), so there is no need for polymorphicoperators.

Design Goal 6 (DG6) There is good support for functions includinglambda-notation (or an equivalent notation) with term constructors forfunction application and function abstraction.

Functions, both partial and total, are just as basic to mathematicsas sets and need to be fully supported.

zf has poor support for functions. The set-theoretic machinery inzf is inadequate. Since terms denote sets but not proper classes, termscan represent some partial functions but not any total functions. Fur-thermore, there are no term constructors for function application andfunction abstraction as with lambda-notation. It would be awkward

stmm.tex; 12/11/2002; 9:00; p.4


to add function application and abstraction term constructors to asystem like zf in which all terms are defined. Since terms can representonly partial functions, many applications of a term denoting a functionwould be nondenoting.

The (first-order) logical machinery in zf is also inadequate. Operatorsymbols represent functions, but only total functions. Moreover, oper-ator symbols are not terms. There is a term constructor for operatorapplication but not for operator abstraction.

In summary, zf satisfies just DG1, and nbg satisfies only DG1 andDG2.

3. Overview of STMM

stmm is a version of von-Neumann-Bernays-Godel (nbg) set theory.As we shall see, stmm satisfies all six of the design goals given in thepreceding section.

In contrast to zf, variables in nbg range over both sets and properclasses. Thus, the universe of sets V and total functions from V toV like the cardinality function can be defined as terms in nbg eventhough they are proper classes. (A good introduction to nbg is foundin [28].)

nbg is closely related to zf. The underlying logic of both nbg and zfis first-order logic, and nbg and zf both share the same intuitive modelof the iterated hierarchy of sets. The nonlogical axioms of nbg are verysimilar to those of zf; most of them are simply zf axioms with some ofthe quantifiers restricted to sets. And there is a faithful interpretationof zf in nbg [32, 37, 40], which implies that zf is consistent iff nbg isconsistent. However, nbg is finitely axiomatizable ([21] and [28] presentfinite axiomatizations of nbg), while zf is not (see [24] or [30] for aproof).

As a version of nbg, stmm satisfies DG1 and DG2 and has thesame expressive power as nbg.

stmm has additional machinery that makes it much more appro-priate for mechanized mathematics than ordinary nbg. The additionalmachinery includes:

1. Support for undefined terms (so DG3 is satisfied).

2. A definite description operator (so DG4 is satisfied).

3. A system for classifying terms by value (so DG5 is satisfied).

4. Support for (partial and total) functions (so DG6 is satisfied).

stmm.tex; 12/11/2002; 9:00; p.5

6 Farmer

This machinery has the the same flavor as the special machinery oflutins [11, 12, 13], the logic of the imps Interactive MathematicalProof System [20, 17]. lutins closely corresponds to mathematics prac-tice and has proven to be an effective logic for formalizing traditionalmathematics (e.g., see [16]).

The following are the major ingredients of stmm. In contrast to zfand nbg, the underlying logic of stmm is Partial First-Order Logic(pfol), a version of first-order logic that admits partial functions andundefined terms (see [14, 15]). stmm contains the usual vocabulary andaxioms of nbg. It also contains a “sort system” for classifying terms byvalue that is similar to the sort system of lutins. Lastly, stmm has termconstructors for function application and function abstraction—whichprovides stmm with lambda-notation for reasoning with functions.

The ingredients of stmm are briefly discussed in the remainder ofthis section, and then stmm is defined in the next section.

3.1. PFOL

pfol is a formalization of what we call the traditional approach to par-tial functions [14]. pfol is closely related to the partial logics proposedby R. Schock [39], T. Burge [6, 7], M. Beeson [3, 4], and L. Monk [29].

The syntax of pfol is very similar to the syntax of ordinary first-order logic. pfol has the usual logical connectives (=,¬,∧,∨,⊃,≡,∀,∃)plus a definite description operator I. I is used to construct definitedescriptions, that is, terms of the form (Ix . ϕ). A term (Ix . ϕ) denotesthe unique x that satisfies ϕ if there is such an x and is undefinedotherwise.

The semantics of pfol is a modification of the semantics of ordinaryfirst-order logic. Although individual constants and predicate symbolshave the same semantics as usual, operator symbols are allowed todenote partial functions. Since definite descriptions and applications ofoperator symbols may be undefined, the valuation function on terms ispartial, but the valuation function on formulas is total. In particular,if p is an n-ary predicate symbol and t1, . . . , tn are terms, then theapplication p(t1, . . . , tn) will be false if any argument ti is undefined.

3.2. Classifying Terms

A sort is a syntactic object intended to denote a nonempty domainof values. In the case of stmm, these values are actually classes. Se-mantically, a sort is just a nonempty unary predicate. Like types, sortsare assigned to terms on the basis of their syntax, but unlike types,sorts may be assigned to nondenoting terms (i.e., terms that are not“type correct”). If a term t is assigned a sort α, then the value of t is a

stmm.tex; 12/11/2002; 9:00; p.6


member of the domain denoted by α provided t is defined. (Whether ornot a term is defined is an undecidable problem.) Thus, sorts provide ameans to classify terms by value that does not depend on whether theterms are defined or undefined.

3.3. Support for Functions

stmm provides especially good support for working with partial andtotal functions. As in zf and nbg, partial functions from sets to sets arerepresented in stmm as certain sets of ordered pairs. However, unlike zfand nbg, stmm has special machinery—lambda-notation and sorts—for directly manipulating terms that denote partial and total functionsand for keeping track of when an application of a function is definedand what kind of value an application of a function may have when itis defined.

The special machinery in stmm for reasoning with functions is dis-cussed in more detail in section 5.

3.4. Relationship to NBG

An alternate version of stmm, called nbg∗, is described in [14] anddefined in [15]. nbg∗ is defined in stages, while stmm is defined in adirect way. The purpose of nbg∗ is to illustrate precisely how it (andstmm) is related to nbg. It is for study, not use. stmm, on the otherhand, is intended to be a logic that can actually be implemented andused as a component of a mechanized mathematics system.

stmm and nbg∗ have the expressive power of nbg plus type-theoreticlike machinery. The theorem below, which follows from the resultsin [15], shows that this additional machinery is purely a convenience.

THEOREM 3.1. For every theory T of nbg∗, there is a theory ofordinary nbg T ∗ and a computable translation from each formula ϕof T to a formula ϕ∗ of T ∗ such that

T |= ϕ iff T ∗ |= ϕ∗.

stmm.tex; 12/11/2002; 9:00; p.7

8 Farmer

4. The Definition of STMM

4.1. Sort Systems

A sort is a syntactic object intended to denote a nonempty domain ofvalues. Sorts are used to classify terms by value.

The set of sort symbols built from a set S of atomic sort symbolswill be the set Ω(S) defined below.

Let S be a set of symbols. Ω(S) is the set defined by:

1. S ⊆ Ω(S).

2. If α, β ∈ Ω(S), then α β ∈ Ω(S).

A sort of the form α β is intended to denote the domain of partialfunctions from the domain denoted by α to the domain denoted by β.

Given a total function f : S → Ω(S), f is the smallest binaryrelation on Ω(S) such that:

1. If α ∈ S, then α f f(α).

2. f is reflexive, i.e., for all α ∈ Ω(S), α f α.

3. f is transitive, i.e., for all α, β, γ ∈ Ω(S), if α f β and β f γ,then α f γ.

4. If α1 f α2 and β1 f β2, then α1 β1 f α2 β2.

The intended meaning of α f β is that the domain denoted by α isincluded in the domain denoted by β.f is noetherian if every ascending sequence of members of Ω(S),

α1 f α2 f α3 f · · · ,

is eventually stationary, i.e., there is some m such that αi = αm for alli ≥ m. If f is noetherian, then f is obviously antisymmetric (i.e.,for all α, β ∈ Ω(S), if α f β and β f α, then α = β). Hence, f is apartial order if it is noetherian.

A sort system of stmm is a pair (A, ξ) where A is a set of symbolswith C,V ∈ A and ξ is a total function from A to Ω(A) such that:

1. For all α ∈ A, ξ(α) = α iff α = C.

2. ξ is noetherian.

C and V are intended to denote the domains of classes and sets, re-spectively. The relation ξ is not an absolutely necessary part of a sort

stmm.tex; 12/11/2002; 9:00; p.8


system. It is included for the sake of convenience; we will see later thebenefits that it offers.

A sort of (A, ξ) is any member of Ω(A). The sorts in A and Ω(A)\Aare called atomic sorts and compound sorts, respectively. The enclosingsort of α ∈ A is the sort ξ(α). The least upper bound of α and β,written αtξ β, is the least upper bound of α and β in the partial orderξ. (The least upper bound of two sorts is not always defined.) Themaximal sorts in ξ are C plus the compound sorts formed from Calone.

A function sort is either a compound sort or an atomic sort αsuch that α ξ β for some compound sort β ∈ Ω(A). A functionsort, whether atomic or compound, is intended to denote a domain ofpartial functions. The range sort of a function sort α, written ran(α),is defined as follows: if α = β γ, then ran(α) = γ; otherwise,ran(α) = ran(ξ(α)). (We leave it as an exercise to the reader to verifythat the notion of a range sort is well defined.)

A sort frame for (A, ξ) is a set Dα : α ∈ Ω(A) of nonemptydomains such that:

1. If α ξ β, then Dα ⊆ Dβ.

2. Dα ⊆ DC for all α ∈ Ω(A).

A sort frame is a “model” for a sort system. The relation ξ is used toplace a minimal structure on the members of a sort frame.

4.2. Syntax

A variable of stmm is a member of a fixed infinite set V of symbols. Alanguage of stmm is a tuple (C,O,P,A, ξ, σ) such that:

1. C is a set of individual constants.

2. O is a set of operator symbols, each with an assigned arity ≥ 1.O contains the binary operator symbol ordered-pair.

3. P is a set of predicate symbols, each with an assigned arity ≥ 1.P contains the unary predicate symbol function and the binarypredicate symbols = and ∈.

4. (A, ξ) is a sort system.

5. σ : V ∪ C → Ω(A) is total function such that

Vα = x ∈ V : σ(x) = α

is infinite for all α ∈ Ω(A).

stmm.tex; 12/11/2002; 9:00; p.9

10 Farmer

6. V, C, O, P, and A are pairwise disjoint.

In the remainder of this paper, let L = (C,O,P,A, ξ, σ) be alanguage of stmm. L is minimal if C = ∅, O = ordered-pair,P = function,=, ∈, and A = C,V.

Let L1 = (C1,O1,P1,A1, ξ1, σ1) and L2 = (C2,O2,P2,A2, ξ2, σ2) belanguages of stmm. L1 is a sublanguage of L2 if C1 ⊆ C2, O1 ⊆ O2,P1 ⊆ P2, A1 ⊆ A2, ξ1 is a subfunction of ξ2, and σ1 is a subfunctionof σ2.

A term of sort α of L and a formula of L are simultaneously de-fined by the rules below. varL[x, α] asserts that x ∈ V and α = σ(x),termL[t, α] asserts that t is a term of sort α of L, and formL[ϕ] assertsthat ϕ is a formula of L.

T1a ∈ V ∪ C

termL[a, σ(a)]

T2varL[x, α], formL[ϕ]termL[(Ix : α . ϕ), α]

T3formL[ϕ], termL[s, α], termL[t, β]

termL[if(ϕ, s, t), γ]

where γ =α tξ β if α tξ β is definedC otherwise

T4termL[f, α], termL[a, β]

termL[f [a], γ]

where γ =

ran(α) if α is a function sortV otherwise

T5varL[x, α], termL[t, β],

termL[(λx : α . t), α β]

T6o ∈ O is n-ary, termL[t1, α1], . . . , termL[tn, αn]

termL[o(t1, . . . , tn),C]

F1p ∈ P is n-ary, termL[t1, α1], . . . , termL[tn, αn]

formL[p(t1, . . . , tn)]

stmm.tex; 12/11/2002; 9:00; p.10


F2formL[ϕ]formL[¬ϕ]

F3formL[ϕ], formL[ψ]

formL[(ϕ ⊃ ψ)]

F4varL[x, α], formL[ϕ]formL[(∀x : α . ϕ)]

When t is a term, let σ(t) denote the sort of t. A term of the form(Ix : α . ϕ), if(ϕ, s, t), f [a], or (λx : α . t) is called a definite descrip-tion, conditional term, function application, or function abstraction,respectively. Notice that the relation ξ enables nontrivial sorts to beassigned to conditional terms and function applications in certain cases.

Parentheses in terms and formulas may be suppressed when meaningis not lost. For convenience, we also employ the following abbreviations:

(s = t) for = (s, t).(s 6= t) for ¬(s = t).(s ∈ t) for ∈ (s, t).(s 6∈ t) for ¬(s ∈ t).〈s, t〉 for ordered-pair(s, t).(ϕ ∧ ψ) for ¬(ϕ ⊃ ¬ψ).(ϕ ∨ ψ) for ¬ϕ ⊃ ψ.(ϕ ≡ ψ) for (ϕ ⊃ ψ) ∧ (ψ ⊃ ϕ).(∃x : α . ϕ) for ¬(∀x : α . ¬ϕ).2x1, . . . , xn : α . ϕ for 2x1 : α . . .2xn : α . ϕ

where 2 is ∀ or ∃.(t ↓ α) for ∃x : α . x = t

where x does not occur in t.(t↓) for (t ↓ σ(t)).(t↑) for ¬(t↓).(s ' t) for (s↓ ∨ t↓) ⊃ s = t.⊥α for Ix : α . x 6= x.(α β) for ∀x : α . (x ↓ β).

(t ↓ α), t↓, t↑, and s ' t are read as “t is defined in α”, “t is defined”, “tis undefined”, and “s and t are quasi-equal”.⊥α is a canonical undefinedterm of sort α, and (α β) says α is a subsort of β.

Let an expression of L be either a term or formula of L. “Freevariable”, “closed”, and similar notions are defined in the obvious way.A sentence is a closed formula.

stmm.tex; 12/11/2002; 9:00; p.11

12 Farmer

4.3. Semantics

We shall present the semantics of stmm in two stages. In the firststage, we introduce the “logic” portion of the semantics embodied inthe notion of a model of a stmm language. The logic portion of stmmis Partial First-Order Logic (pfol), which we discussed in section 3. Inthe second stage, we formulate the “set theory” portion of the semanticsby expressing the axioms of nbg set theory as stmm sentences and thendefining a stmm theory to be a stmm language plus a set of sentencesthat includes these axioms.

A structure for L is a pair (Dα : α ∈ Ω(A), I) where Dα : α ∈Ω(A) is a sort frame for (A, ξ) and I is a total function on C ∪O ∪Psuch that:

1. If a ∈ C, I(a) ∈ Dσ(a).

2. If o ∈ O is n-ary, I(o) is a partial function from DC × · · · × DC

(n times) to DC.

3. If p ∈ P is n-ary, I(p) is a total function from DC × · · · ×DC (ntimes) to t, f (the domain of truth values). I(=) is the identityrelation on DC.

Let M = (Dα : α ∈ Ω(A), I) be a structure for L. A variableassignment into M is a function that maps each x ∈ V to an elementof Dσ(x). Given a variable assignment A into M, x ∈ V, and d ∈ Dσ(x),let A[x 7→ d] be the variable assignment A′ into M such A′(x) = d andA′(y) = A(y) for all y 6= x.

Define V = VM to be the binary function such that the followingconditions are satisfied for all variable assignments A into M and allexpressions of L:

1. If t ∈ V, then VA(t) = A(t).

2. If t ∈ C, then VA(t) = I(t).

3. Let t = (Ix : α . ϕ). If there is a unique d ∈ Dα such thatVA[x 7→d](ϕ) = t, then VA(t) = d; otherwise VA(t) is undefined.

4. Let t = if(ϕ, t1, t2), γ = σ(t), and

t′ = Ix : γ . (ϕ ⊃ x = t1) ∧ (¬ϕ ⊃ x = t2)

where x does not occur in ϕ, t1, or t2. If VA(t′) is defined, thenVA(t) = VA(t′); otherwise VA(t) is undefined.

stmm.tex; 12/11/2002; 9:00; p.12


5. Let t = f [a], β = σ(t), and

t′ = I b : β . function(f) ∧ 〈a, b〉 ∈ f

where b does not occur in f or a. If VA(t′) is defined, then VA(t) =VA(t′); otherwise VA(t) is undefined.

6. Let t = (λx : α . s), β = σ(s), and

t′ = I g : α β . ∀x : α . if((x ↓ V) ∧ (s ↓ V), g[x] = s, g[x]↑)

where g does not occur in s. If VA(t′) is defined, then VA(t) =VA(t′); otherwise VA(t) is undefined.

7. Let t = o(t1, . . . , tn). If VA(t1), . . . , VA(tn) are definedand I(o) is defined at 〈VA(t1), . . . , VA(tn)〉, then VA(t) =I(o)(VA(t1), . . . , VA(tn)); otherwise VA(t) is undefined.

8. Let ϕ = p(t1, . . . , tn). If VA(t1), . . . , VA(tn) are defined, thenVA(ϕ) = I(p)(VA(t1), . . . , VA(tn)); otherwise VA(ϕ) = f.

9. Let ϕ = ¬ϕ′. If VA(ϕ′) = f, then VA(ϕ) = t; otherwise VA(ϕ) =f.

10. Let ϕ = (ϕ′ ⊃ ϕ′′). If VA(ϕ′) = t and VA(ϕ′′) = f, then VA(ϕ) =f; otherwise VA(ϕ) = t.

11. Let ϕ = (∀x : α . ϕ′). If VA[x 7→d](ϕ′) = t for all d ∈ Dα, thenVA(ϕ) = t; otherwise VA(ϕ) = f.

For an expression E, VMA (E) is called the value of E in M withrespect to A (when it is defined). Notice that VMA is a partial valuationfunction on terms but a total valuation function on formulas. A termt of L is defined in M with respect to A if its value VMA (t) is defined.A formula ϕ of L is valid in M if VMA (ϕ) = t for every variableassignment A intoM. Notice that the valuation function on conditionalterms, function applications, and function abstractions is defined ineach case in terms of the valuation function on definite descriptions.

If a term is defined (i.e., t↓ is valid), then t is defined in its assignedsort (i.e., (t ↓ σ(t))) by definition and is defined in C (i.e., (t ↓ C))since DC is the domain of classes, which includes every domain.M is a model for L if, for all α, β ∈ Ω(A),

∀ f : C . (f ↓ α β) ≡(function(f) ∧ (∀ a, b : C . f [a] = b ⊃ (a ↓ α) ∧ (b ↓ β)))

stmm.tex; 12/11/2002; 9:00; p.13

14 Farmer

is valid in M. That is, a model is a structure such that each Dαβ isthe domain of (partial) functions from Dα to Dβ. One can construct amodel for L by appealing to the fact that ξ is noetherian.

Space limitations prevent us from presenting an axiom system forthe logic portion of the semantics of stmm. It would be very similar tothe axiom system for pfol given in [15].

4.4. NBG Axioms

Let L be minimal. We present now an axiomatization of nbg as aset of sentences of L. Our axiomatization is very similar to the finiteaxiomatization of nbg given by K. Godel in [21]. The axiomatizationconsists of 31 axioms. The first 15 are definitions that define (usually)new symbols in terms of old symbols. The remaining 16 axioms are the“proper” axioms of nbg. We use the variables a, b, c to denote variablesof sort C and w, x, y, z to denote variables of sort V.

The first axiom defines V to be the domain of sets. (Recall that aset is a class that is a member of some other class.)

NBG1 (Definition of V) ∀x : C . (x ↓ V) ≡ ∃ y : C . x ∈ y.

The next fourteen axioms define the operator and predicate symbolsof nbg:

NBG2 (Definition of Pair) ∀ a, b : C . a, b '(Ix : V . (a ↓ V) ∧ (b ↓ V) ∧ ∀ y : V . y ∈ x ≡ (y = a ∨ y = b)).

NBG3 (Definition of Singleton) ∀ a : C . a ' a, a.

NBG4 (Definition of Ordered Pair) ∀ a, b : C . 〈a, b〉 'a, a, b.

NBG5 (Definition of Ordered Triple) ∀ a, b, c : C . 〈a, b, c〉 '〈a, 〈b, c〉〉.

NBG6 (Definition of Subset) ∀ a, b : C . a ⊆ b ≡(∀x : V . x ∈ a ⊃ x ∈ b).

NBG7 (Definition of Proper Subset) ∀ a, b : C . a ⊂ b ≡(a ⊆ b ∧ a 6= b).

NBG8 (Definition of Empty) ∀ a : C . empty(a) ≡ ∀x : V . x 6∈ a.

NBG9 (Definition of Univocal) ∀ a : C . univocal(a) ≡(∀x, y, z : V . (〈x, y〉 ∈ a ∧ 〈x, z〉 ∈ a) ⊃ y = z).

stmm.tex; 12/11/2002; 9:00; p.14


NBG10 (Definition of Function) ∀ a : C . function(a) ≡(univocal(a) ∧ ∀x : V . x ∈ a ≡ (∃ y, z : V . x = 〈y, z〉)).

NBG11 (Definition of Intersection) ∀ a, b : C . a ∩ b '(I c : C . ∀x : V . x ∈ c ≡ (x ∈ a ∧ x ∈ b)).

NBG12 (Definition of Complement) ∀ a : C . a '(I b : C . ∀x : V . x ∈ b ≡ x 6∈ a).

NBG13 (Definition of Domain) ∀ a : C . domain(a) '(I b : C . ∀x : V . x ∈ b ≡ (∃ y : V . 〈x, y〉 ∈ a)).

NBG14 (Definition of Sum Class) ∀ a : C . sum(a) '(I b : C . ∀x : V . x ∈ b ≡ (∃ y : V . x ∈ y ∧ y ∈ a)).

NBG15 (Definition of Power Class) ∀ a : C . power(a) '(I b : C . ∀x : V . x ∈ b ≡ x ⊆ a).

The first two proper axioms of nbg are:

NBG16 (Extensionality) ∀ a, b : C . (∀x : V . x ∈ a ≡ x ∈ b) ⊃a = b.

NBG17 (Pairing) ∀x, y : V . x, y↓.

The next group of axioms assert the existence of certain classes:

NBG18 (Membership Class) ∃ a : C . ∀x, y : V . 〈x, y〉 ∈ a ≡x ∈ y.

NBG19 (Intersection) ∀ a, b : C . (a ∩ b)↓.

NBG20 (Complement) ∀ a : C . a↓.

NBG21 (Domain) ∀ a : C . domain(a)↓.

NBG22 (Direct Product) ∀ a : C . ∃ b : C . ∀x, y : V . 〈x, y〉 ∈ b ≡x ∈ a.

NBG23 (Permutation 1) ∀ a : C . ∃ b : C . ∀x, y : V . 〈x, y〉 ∈ b ≡〈y, x〉 ∈ a.

NBG24 (Permutation 2) ∀ a : C . ∃ b : C . ∀x, y, z : V .〈x, y, z〉 ∈ b ≡ 〈y, z, x〉 ∈ a.

stmm.tex; 12/11/2002; 9:00; p.15

16 Farmer

NBG25 (Permutation 3) ∀ a : C . ∃ b : C . ∀x, y, z : V .〈x, y, z〉 ∈ b ≡ 〈x, z, y〉 ∈ a.

The next four axioms assert the existence of certain sets:

NBG26 (Infinity) ∃x : V . ¬empty(x) ∧(∀ y : V . y ∈ x ⊃ (∃z : V . z ∈ x ∧ y ⊂ z)).

NBG27 (Sum Set) ∀x : V . (sum(x) ↓ V).

NBG28 (Power Set) ∀x : V . (power(x) ↓ V).

NBG29 (Replacement) ∀ a : C . univocal(a) ⊃(∀x : V . ∃ y : V . ∀ z : V . z ∈ y ≡ (∃w : V . w ∈ x ∧ 〈w, z〉 ∈ a)).

The last two axioms are the axioms of foundation and global choice:

NBG30 (Foundation) ∀ a : C . ¬empty(a) ⊃(∃x : V . x ∈ a ∧ ∀ y : V . ¬(y ∈ x ∧ y ∈ a)).

NBG31 (Global Choice) ∃ f : C . function(f) ∧(∀x : V . ¬empty(x) ⊃ f [x] ∈ x).

Notes:

1. a, b and 〈a, b〉 are undefined whenever a is not a set or b is nota set.

2. In Godel’s axiomatization of nbg in [21], 〈x, y〉 represents a map-ping of y to x; in our axiomatization it represents a mapping ofx to y.

3. Axiom NBG22 says that, for all classes a, the direct producta× V is a class, where V is the class of all sets.

4. It is an exercise in p. 164 of [28] that the first permutationaxiom, NBG23, follows from axioms NBG21, NBG22, NBG24,and NBG25.

5. The axiom of foundation, NBG30, is dispensable and could bereplaced with an “antifoundation” axiom (see [1]).

6. The axiom of global choice, NBG31, implies the axiom of localchoice (as given, for example, in [28]).

stmm.tex; 12/11/2002; 9:00; p.16


4.5. Theories

Let L0 = (∅,O0,P0,A0, ξ0, σ0) be a stmm language such that:

1. O0 contains only the operator symbols defined in the axiomsabove.

2. P0 contains only =, ∈, and the predicate symbols defined in theaxioms above.

3. A0 = C,V.

Also let Γ0 = NBG1, . . . ,NBG31.A theory of stmm is a pair T = (L,Γ) where L is a language of

stmm such that L0 is a sublanguage of L and Γ is a set of sentencesof L such that Γ0 ⊆ Γ. The theory T 0 = (L0,Γ0) is called the kerneltheory of stmm. Let T = (L,Γ) be a theory of stmm. A model for Tis a model for L in which each ϕ ∈ Γ is valid. A formula ϕ of L is validin T , written T |= ϕ, if it is valid in every model for T .

5. Support for Functions

In this section, “mapping” means an arbitrary function, while “func-tion” means a particular kind of class that represents a function fromsets to sets and “operator” means a function from classes to classes.

5.1. Functions

A function in stmm is a univocal class of ordered pairs that representsa partial or total mapping from sets to sets. If the domain of a functionhappens to be a set, the function itself is a set. If the domain is aproper class, the function is a proper class. A function that is a set isnecessarily partial, while a total function is necessarily a proper class.A total function represents a mapping defined on all sets, such as themapping that takes a set to its cardinality. Mappings defined on all setsarise naturally in mathematics practice. In stmm, they are first-classobjects: they can be quantified over and represented by terms. Theyare not first-class objects in zf and related set theories that do notadmit proper classes.

5.2. Operators

An operator in stmm is a partial or total mapping from classes toclasses. Operator symbols denote operators, but in general terms do

stmm.tex; 12/11/2002; 9:00; p.17

18 Farmer

not. Since an operator symbol is not a term, predicate symbols andother operator symbols cannot be applied to them. This dichotomybetween terms denoting set mappings and operator symbols denotingclass mappings reflects a natural division between the different rolesmappings play in mathematics. A mapping that is to be reasonedabout—such as a mapping from the real numbers to the real numbers—is usually a class; in stmm it can be the value of a fully endowed term.A mapping that is only to assist in forming assertions—such as themapping that takes a function to its domain—may not be a class; instmm it can be the value of an operator symbol that can be used toform terms but is not a term itself.

5.3. Sorts

A sort α of L is a syntactic object that denotes a nonempty domain Dα

of classes. A sort can denote any nonempty domain specified by a unarypredicate symbol. The sorts of L in a stmm theory T = (L,Γ) form apartial order that extends the partial order ξ. If T |= α β, thenDα ⊆ Dβ is true in every model for T . In every theory, C, the sort ofclasses, is the maximum sort: α C for every sort α. A compoundsort α β denotes the domain of all functions from the sets in Dα

to the sets in Dβ. Hence, V V and C C both denote the entiredomain of functions. Since functions may be partial, α β α′ β′

whenever α α′ and β β′.Sorts are convenient for classifying terms by value. If a term t is

defined in a sort α (i.e., (t ↓ α) holds), then t denotes a class in Dα. Aterm may be defined in several sorts. For example, if (t ↓ α) and α β,then (t ↓ β). Like types, sorts are assigned to terms on the basis of theirsyntax, but unlike types, sorts may be assigned to nondenoting terms(i.e., terms which are not “type correct”). That is, every term t of L isassigned a sort σ(t) whether or not t is defined. A term t is defined inσ(t) provided t is defined.

5.4. Function Application

A function application of L is a term of the form f [a] where f and aare terms of L. A function application f [a] is intended to denote theresult of applying a function denoted by f to an argument denoted bya. Regardless of what values f and a have, f [a] is a legitimate, well-formed term. However, f [a] is defined only if f denotes a function anda denotes a set in the domain of the denotation of f . If α = σ(f) is afunction sort, β = σ(f [a]) is the range sort of α; otherwise β = V, thesort of sets.

stmm.tex; 12/11/2002; 9:00; p.18


Function applications provide stmm with the means to expressstatements involving functions in a very concise manner. For example,the sentence

∀x, y : R .√x = y ⊃ x = y2,

where R denotes the set of real numbers, says that the square of asquare root of a number is the number itself. There is no need tomention that the domain of the square function is the set of nonnegativereal numbers since

√x = y is true only if

√x is defined. In traditional

set theories like zf and nbg, the application of a set representing afunction can only be expressed in a verbose, indirect way with the useof quantifiers.

5.5. Function Abstraction

A function abstraction of L is a term of the form (λx : α . t). When(λx : α . t) is defined, it denotes a function in the denotation of itsassigned sort α σ(t). Together, function applications and functionabstractions constitute a convenient lambda-notation for applying anddefining classes which denote functions.

5.6. Definite Description

A definite description of L is a term of the form (Ix : α . ϕ). Since adefinite description (Ix : α . ϕ) is defined only if there is a unique xsatisfying ϕ, definite descriptions are exceedingly useful for specifyingfunctions, especially partial functions. For example,

λx : R . I y : R . 0 ≤ y ∧ y ∗ y = x,

where R denotes the set of real numbers, specifies the standard squareroot function over the real numbers.

6. Implementation

For the most part, stmm can be implemented like other logics havingquantifiers and lambda-notation. However, some of the less commonaspects of stmm—undefined terms, definite descriptions, and sorts—require special implementation techniques.

6.1. Undefined Terms and Sorts

The undefined terms and sorts of stmm can be implemented in the sameway the undefined terms and sorts of lutins are implemented in imps.

stmm.tex; 12/11/2002; 9:00; p.19

20 Farmer

Reasoning in stmm (like lutins) involves proving many obligations ofeither the form t ↓ or (t ↓ α). (Recall that t ↓ is an abbreviation for(t ↓ σ(t)).) For example, before a definite description (Ix : α . t) canbe “opened up”, one must prove (Ix : α . t)↓. Also, an assumption ofthe form (∀x : α . ϕ) can be instantiated with a term t only if one canprove (t ↓ α).

An implementation requires an automated mechanism for quicklydetermining the truth status of definedness goals of the form t↓ and sortdefinedness goals of the form (t ↓ α). The mechanism in imps for thisis built into the imps theory-specific expression simplifier [17, 18, 19].It is able to discharge the great majority of the definedness and sortdefinedness obligations that arise during the course of an imps proof.A similar simplifier-based mechanism could be incorporated into animplementation of stmm.

6.2. Definite Descriptions

Proving assertions containing definite descriptions can be tricky. Spe-cial machinery is needed, for instance, for “opening up” definite de-scriptions known to be defined, handling definite descriptions whosedefinedness is not known, and simplifying expressions containing def-inite descriptions of the form (Ix : α . x = t). Chapter 15 of [18]discusses the definite description machinery implemented in imps. Thismachinery could also be used in an implementation of stmm.

6.3. Little Theories

The little theories method is a version of the axiomatic method in whicha complex system or body of knowledge is described as a network ofaxiomatic theories linked by theory interpretations. The paper [16]argues that the little theories approach is highly desirable for mech-anized mathematics and describes how imps supports it. stmm couldbe implemented with little theories much like imps. One would have todefine the notion of an interpretation of one stmm theory in another(see [13]).

A simple approach would be to define an interpretation of a theoryT 1 in a theory T 2 to be a function that maps the individual constants ofT 1 to appropriate terms of T 2 and the atomic sorts of T 1 to appropriatesorts, unary predicates, and terms of T 2. Moreover, an interpretationwould be required to leave the kernel theory fixed. Operator and pred-icate symbols would remain fixed and would be defined only in thekernel theory. Since the kernel theory is a subtheory of every otherstmm theory, all stmm theories would have the same basic set-theoretic

stmm.tex; 12/11/2002; 9:00; p.20


machinery and, in particular, the same operator and predicate symbolsdefined in the same way.

6.4. Implementation in IMPS

stmm has been implemented in imps by using the imps logic lutins, apartial version of higher-order logic, in place of pfol. The sort systemfor stmm is inherited from the sort system for lutins with compoundsorts of stmm represented by atomic sorts of lutins. As a consequence,the support in imps for compound sorts of lutins is not extendedto compound sorts of stmm. This is a significant shortcoming of theimplementation that can be fixed only by modifying imps itself.

7. Comparison with Other Implemented Set Theories

As we have shown, stmm is a hybrid system fashioned from the follow-ing components:

1. pfol.

2. nbg.

3. A lutins-style sort system.

4. Lambda-notation.

The components of stmm are certainly not novel, but the idea of usingthem together and the way they are combined are novel.

Unlike stmm, none of the six set theories implemented in the mecha-nized mathematics systems listed in section 1 satisfies all of the designgoals given in section 2. In particular, none of them satisfies DG3and only Quaife’s version of nbg satisfies DG2. zf, nbg, and relatedset theories can be modified to minimally satisfy DG4–6. However,as we noted in section 2, definite description operators, systems forclassifying terms by value, and operators for function application andabstraction are awkward in set theories that do not admit proper classesand undefined terms. By virtue of satisfying both DG2 and DG3,stmm satisfies DG4–6 more effectively than traditional set theories.

As a foundation for mechanized mathematics, stmm is actuallymuch closer to lutins than to any of the six implemented set theories.Although lutins is a version of Church’s simple type theory, it canbe viewed as a set theory since sets can be formalized in simple typetheory as characteristic functions (in one way or another). As such,lutins satisfies all the design goals except DG2. Nevertheless, lutins

stmm.tex; 12/11/2002; 9:00; p.21

22 Farmer

is formally less expressive than stmm since simple type theory is lessexpressive than zf. Also, in lutins polymorphism is a concern becausethere is more than one type, while in stmm terms denoting functionsare effectively polymorphic operators because they can be applied toall sets. stmm has all the virtues of lutins as well as the full powerof nbg set theory. Moreover, any mathematical reasoning performed inlutins can be directly transferred to stmm.

8. Conclusion

We have presented a version of nbg set theory that is intended to serveas a foundation for mechanized mathematics. It is based on familiar,well-understood ideas and principles from predicate logic and mathe-matics practice. It has the same expressive power as the zf and nbgset theories and the same convenient machinery for reasoning aboutfunctions as lutins, the logic of imps. It also has a sort system forclassifying terms by value, like lutins’s sort system, that is not amajor departure from traditional set theory. And, finally, it can beimplemented in much the same way that lutins is implemented inimps.

A mechanized mathematics system based on a set theory like stmmwould be an asset for mechanized mathematics. Since set theory isfamiliar to nearly all mathematics practitioners, a system based on settheory would likely be more accessible to ordinary students, scientists,and engineers than systems based on type theory. Also, mathemati-cians might be more inclined to participate in mechanized mathematicsif there were more and better mechanized mathematics systems thatcommunicated using set theory.

Notes

1 Examples include Maple [8] and Mathematica [42].2 Examples include Automath [31], Coq [2], eves [10], hol [23], imps [20, 17],

Isabelle [35], Mizar [38], Nqthm [5], Nuprl [9], Otter [26], and pvs [33].3 Tarski-Grothendieck set theory is zf plus an axiom due to A. Tarski [41] that

asserts the existence of universes—sets closed under the usual set-theoretic opera-tions.

4 Pronounced as the word “stem”.

stmm.tex; 12/11/2002; 9:00; p.22


Acknowledgements

The author expresses special thanks to Dr. Joshua Guttman for hisassistance in the development of stmm.

References

1. P. Aczel. Non-Well-Founded Sets. CSLI Publications, Stanford, 1988.2. B. Barros et al. The Coq proof assistant reference manual, ver-

sion 6.1. Available at ftp://ftp.inria.fr/INRIA/coq/V6.1/doc/

Reference-Manual.dvi.gz, 1997.3. M. Beeson. Formalizing constructive mathematics: Why and how? In

F. Richman, editor, Constructive Mathematics: Proceedings, New Mexico, 1980,volume 873 of Lecture Notes in Mathematics, pages 146–190. Springer-Verlag,1981.

4. M. J. Beeson. Foundations of Constructive Mathematics. Springer-Verlag,Berlin, 1985.

5. R. Boyer and J Moore. A Computational Logic Handbook. Academic Press,1988.

6. T. Burge. Truth and Some Referential Devices. PhD thesis, PrincetonUniversity, 1971.

7. T. Burge. Truth and singular terms. In K. Lambert, editor, PhilosophicalApplications of Free Logic, pages 189–204. Oxford University Press, 1991.

8. B. W. Char, K. O. Geddes, G. H. Gonnet, B. L. Leong, M. B. Monagan, andS. M. Watt. Maple V Language Reference Manual. Springer-Verlag, 1991.

9. R. L. Constable, S. F. Allen, H. M. Bromley, W. R. Cleaveland, J. F. Cremer,R. W. Harper, D. J. Howe, T. B. Knoblock, N. P. Mendler, P. Panangaden,J. T. Sasaki, and S. F. Smith. Implementing Mathematics with the Nuprl ProofDevelopment System. Prentice-Hall, Englewood Cliffs, New Jersey, 1986.

10. D. Craigen, S. Kromodimoeljo, I. Meisels, B. Pase, and M. Saaltink. eves: Anoverview. Technical Report CP-91-5402-43, ORA Corporation, 1991.

11. W. M. Farmer. A partial functions version of Church’s simple theory of types.Journal of Symbolic Logic, 55:1269–91, 1990.

12. W. M. Farmer. A simple type theory with partial functions and subtypes.Annals of Pure and Applied Logic, 64:211–240, 1993.

13. W. M. Farmer. Theory interpretation in simple type theory. In J. Heeringet al., editor, Higher-Order Algebra, Logic, and Term Rewriting, volume 816 ofLecture Notes in Computer Science, pages 96–123. Springer-Verlag, 1994.

14. W. M. Farmer. Reasoning about partial functions with the aid of a computer.Erkenntnis, 43:279–294, 1995.

15. W. M. Farmer and J. D. Guttman. A set theory with support for partialfunctions. Studia Logica, 66:59–78, 2000.

16. W. M. Farmer, J. D. Guttman, and F. J. Thayer. Little theories. In D. Ka-pur, editor, Automated Deduction—CADE-11, volume 607 of Lecture Notes inComputer Science, pages 567–581. Springer-Verlag, 1992.

17. W. M. Farmer, J. D. Guttman, and F. J. Thayer. imps: An InteractiveMathematical Proof System. Journal of Automated Reasoning, 11:213–248,1993.

stmm.tex; 12/11/2002; 9:00; p.23

24 Farmer

18. W. M. Farmer, J. D. Guttman, and F. J. Thayer. The imps user’s man-ual. Technical Report M-93B138, The mitre Corporation, 1993. Available athttp://imps.mcmaster.ca/.

19. W. M. Farmer, J. D. Guttman, and F. J. Thayer. Contexts in mathematicalreasoning and computation. Journal of Symbolic Computation, 19:201–216,1995.

20. W. M. Farmer, J. D. Guttman, and F. J. Thayer Fabrega. imps: An up-dated system description. In M. McRobbie and J. Slaney, editors, AutomatedDeduction—CADE-13, volume 1104 of Lecture Notes in Computer Science,pages 298–302. Springer-Verlag, 1996.

21. K. Godel. The Consistency of the Axiom of Choice and the GeneralizedContinuum Hypothesis with the Axioms of Set Theory, volume 3 of Annalsof Mathematical Studies. Princeton University Press, 1940.

22. M. Gordon. Set theory, higher order logic or both? In J. Grundy andJ. Harrison, editors, Theorem Proving in Higher Order Logic: 9th InternationalConference, TPHOLs’96, volume 1125 of Lecture Notes in Computer Science,pages 191–202. Springer-Verlag, 1996.

23. M. J. C. Gordon and T. F. Melham. Introduction to HOL: A Theorem ProvingEnvironment for Higher Order Logic. Cambridge University Press, 1993.

24. K. Kunen. Set Theory: An Introduction to Independence Proofs. North-Holland, 1980.

25. L. Lamport and L. C. Paulson. Should your specification language be typed?ACM Transactions on Programming Languages and Systems, 21:502–526, 1999.

26. W. McCune. otter 2.0. In M. E. Stickel, editor, 10th International Conferenceon Automated Deduction, volume 449 of Lecture Notes in Computer Science,pages 663–664. Springer-Verlag, 1990.

27. N. D. Megill. Metamath: A Computer Language for Pure Mathematics. 1997.Available at http://www.shore.net/~ndm/java/mm.html.

28. E. Mendelson. Introduction to Mathematical Logic. Van Nostrand, 1964.29. L. G. Monk. pdlm: A Proof Development Language for Mathematics. Technical

Report M86-37, The mitre Corporation, Bedford, Massachusetts, 1986.30. R. Montague. Semantic closure and non-finite axiomatizability. In Infinitistic

Methods, pages 45–69. Pergamon, 1961.31. R. P. Nederpelt, J. H. Geuvers, and R. C. De Vrijer, editors. Selected Pa-

pers on Automath, volume 133 of Studies in Logic and The Foundations ofMathematics. North Holland, 1994.

32. I. L. Novak. A construction for models of consistent systems. FundamentaMathematicae, 37:87–110, 1950.

33. S. Owre, S. Rajan, J. M. Rushby, N. Shankar, and M. Srivas. PVS: Combin-ing specification, proof checking, and model checking. In R. Alur and T. A.Henzinger, editors, Computer Aided Verification: 8th International Conference,CAV ’96, volume 1102 of Lecture Notes in Computer Science, pages 411–414.Springer-Verlag, 1996.

34. L. C. Paulson. Set theory for verification: I. From foundations to functions.Journal of Automated Reasoning, 11:353–389, 1993.

35. L. C. Paulson. Isabelle: A Generic Theorem Prover, volume 828 of LectureNotes in Computer Science. Springer-Verlag, 1994.

36. A. Quaife. Automated deduction in von Neumann-Bernays-Godel set theory.Journal of Automated Reasoning, 8:91–147, 1993.

37. J. B. Rosser and H. Wang. Non-standard models for formal logics. Journal ofSymbolic Logic, 15:113–129, 1950.

stmm.tex; 12/11/2002; 9:00; p.24


38. P. Rudnicki. An overview of the mizar project. Technical report, Departmentof Computing Science, University of Alberta, 1992.

39. R. Schock. Logics without Existence Assumptions. Almqvist & Wiksells,Stockholm, Sweden, 1968.

40. J. Shoenfield. A relative consistency proof. Journal of Symbolic Logic, 19:21–28,1954.

41. A. Tarski. Uber unerreichbare Kardinalzahlen. Fundamenta Mathematicae,30:68–89, 1938.

42. S. Wolfram. Mathematica: A System for Doing Mathematics by Computer.Addison-Wesley, 1991.

stmm.tex; 12/11/2002; 9:00; p.25

stmm.tex; 12/11/2002; 9:00; p.26

Documents

STMM: A Set Theory for Mechanized Mathematicsimps.mcmaster.ca/doc/stmm.pdf · STMM: A Set Theory for Mechanized Mathematics 3 2. Design Goals The following are six design goals for